About CosminM

Hello,   If you configure your ISP connections on separate firewall ports you should achieve what you want. For example: ISP1 configured on Ethernet1/7 and ISP2 configured on Ethernet1/8. On the active firewall connect only ISP1 on Ethernet1/7 and on passive firewall connect only ISP2 on Ethernet1/8. On both firewall you will have 2 default routes pointing to every ISP next hop and the active firewall will chose one of them based on connectivity status. Also, you need to take care of some source NAT, if it's the case. Basically, you will make the configuration like both ISP are connected to the same firewall. on different interfaces. What will be different, and you will configure on each firewall are automatic failover conditions. ... View more

Hello @ateshasan , What certificate was revoked? ... View more

Hello, Have you enabled User identification when you configure L3-trust security zone? https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/enable-user-id  If you don't enable user identification on source zone, then the security policy will not take into account User-ID info. ... View more

Hello, Have you enabled Certificate Authentication for one Administrator? If yes, then no one else can login with username and password. "Configuring certificate-based authentication for any administrator disables the username/password logins for all administrators on the firewall; administrators thereafter require the certificate to log in." https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface  ... View more

Hello, Your criteria's:                     APPLICATION in security policy is mssql ,oracle , rpc.                     Service ANY will match all the traffic until a few packets will go thru your firewall. First you need to understand why you are seeing Insufficient Data: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC  Then, every application has standard protocol and ports and maybe an inter-dependency. https://applipedia.paloaltonetworks.com/  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV0CAK  In your particular case, I recommend doing at least two thinks: replace service ANY with APPLICATION-DEFAULT put msrpc into a separate security policy because it using dynamic ports (tcp/dynamic,udp/dynamic) and add extra criteria in that security policy (like: source IP, destination IP, source user if you can) And try to avoid using msrpc (it's a application container) because once you allow the container, you are allowing everything from that container.   ... View more

The HA4 link between cluster nodes is an L2 connection. "HA clusters support a Layer 3 or virtual wire deployment." This means that on a firewall that is part of an HA cluster, you can only configure Layer 3 or virtual wire security zones for transit traffic. For instance, you cannot use an L2 security zone on such a firewall node. ... View more

Hello,   You could try to configure a Brute Force protection mechanism. More details can be found here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ2CAK  ... View more

Hello @M.Allen  First you are looking in two different places. The first image with AUX's interfaces it's from Panorama (Template > Device > Setup > Interfaces) and the second image without AUX it's from firewall GUI (Device > Setup > Interfaces). The AUX's interfaces are used only when you are configuring a PA-5200 series firewall from Panorama. https://docs.paloaltonetworks.com/hardware/pa-5200-hardware-reference/pa-5200-series-firewall-overview/pa-5200-front-panel    The PA-5200 series are End-of-Sales by now. https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates  ... View more

Thank you @S-Battermann for the new certificate. I tested and it's working. I even update the full procedure from my older post. ... View more

Hi,   Mine it's working all the time, but I forgot to update also the Custom URL on the post. I did it just now. You need to have on the Custom URL also: *.net.anydesk.com/   ... View more

Hi @MatwoksNetTeam  Even in the past, importing the Anydesk Root CA into the firewall did not mean that we were decrypting the traffic. Then we just mark that issuer as reliable. So, the risk of transferring malicious files is the same, that's why it's good to have security solutions on the end-points as well.   I just updated my older post (https://live.paloaltonetworks.com/t5/general-topics/anydesk-issue/td-p/198761/page/2) to match the new Apryl 2024 changes. ... View more

Hi @S.Support212931 , One of the steps it's to create a service for TCP destination port 6568. The source port it's dynamic and in your service should be empty. ... View more

Hello,   Since I wasn't able to capture the actual AnyNet Root CA 2, I just modify my decryption profile as follows:   All the rest remain as described on my comments (see on second page).   ... View more

Hello @ArtursOstapenko  Please see my comments from this post: https://live.paloaltonetworks.com/t5/general-topics/anydesk-issue/td-p/198761 (on second page - it's step 3 Custom URL list) ... View more